
HIPAA

June 12, 2009

Technology perennially introduces problems for compliance with law and regulation. But often technology can help alleviate those problems by fostering transparency and accountability.

Take for instance telemedicine, a promising family of technologies for making healthcare more affordable and accessible. Telemedicine allows, for example, a geographically remote physician to examine and treat a patient. It can do wonders for a patient in a rural clinic who needs attention from a specialist in a distant city. But telemedicine raises medical license issues for a physician in, say, Illinois who is treating a patient in Wyoming. If the Illinois specialist must become licensed in each state where her patients happen to be at the time she delivers care, then red tape will impede her practice of telemedicine.

Telemedicine also raises data security issues. On the Internet, data security law is bewilderingly confusing because authorities have recently issued a cacophony of new and very demanding laws, regulations and standards. Often these rules are poorly written and reflect expectations that are unrealistic in our networked society. Assorted guidance like HIPAA, state privacy regulations, breach notification laws, the "20 Critical Security Controls", PCI-DSS and others purport to tell us how to protect data that might be involved in a telemedicine transaction. But full, strict compliance with all these requirements is rare if not impossible in the real world, as demonstrated by the daily parade of stories about how private data has leaked out of hospitals, corporations, universities, government agencies (federal, state, local and foreign) and every other organization under the sun.

So do these legal problems mean telemedicine is doomed? No. Just as Internet technology looks like a dark cloud to anyone seeking literal compliance with all applicable laws, information technology itself provides a silver lining. Technology engenders the transparency and accountability that are favored in law.

The Internet allows a practitioner of telemedicine to explain to regulators – and to prospective patients – what she is doing, the value of it and the risks associated with it. It enables the specialist doctor in Illinois to publicize, via web postings, how she is helping patients in numerous other states, how she is taking rational steps (such as involving local doctors) to avoid or limit any medical injury in target states, and how she is endeavoring (albeit imperfectly) to protect private data. Through the Internet, she can invite any regulators or members of the public who have reservations or constructive suggestions about her activities to contact her and discuss.

IT further allows the specialist's telemedicine system to store copious, detailed records of what care was provided, when and how, including the good faith methods used to minimize any unlicensed practice of medicine and to safeguard the patient’s private data. Good records could even include full recordings of interactive videoconferences between patient and doctor. Good records are the basis for third-party review and accountability to the public.

Together, electronic transparency and accountability avoid a core evil that regulations abhor: a cover-up. So often, it is deception or cover-up that transforms a legally ambiguous situation into a violation of law. Here are four examples:

1. When computer crime experts differentiate good “white hat” computer security research from bad “black hat” hacking, a decisive factor is whether the suspect engaged in any trickery or concealment.

2. Martha Stewart did not go to jail for insider trading, though she did have inside information at the time of making a stock trade. She went to jail for attempting a cover-up of that trade, that is, obstructing an investigation into whether she had traded on insider information.

3. Arthur Andersen was not criminally convicted for the audit work it performed for Enron. Rather, a jury convicted Andersen for a cover-up, that is, destroying records that might be needed to review the audit work.

4. Law normally does not require a mere witness to crime to report it. But if the witness takes any step to prevent others from uncovering the crime, then the witness is herself guilty of the crime known as “misprision of a felony.”

Let me say all this another way: When literal compliance with complex law is difficult, parties are wise to talk candidly about the problem in public and about their good faith effort to comply. Candid communication can diminish expectations for strict compliance and can soften the law’s interpretation and enforcement.

Update 1: The technologies to support telemedicine are advancing to include more than just microphones and video cameras. Biomedical, Inc. has created a digestible computer chip, which can transmit medical information from inside a patient. Don Clark, "Take Two Digital Pills and Call Me in the Morning," Wall Street Journal, Aug. 4, 2009. Imagine a patient who ingests such a pill at home; the pill relays information to a device connected to the patient's home computer, which forwards it via the Internet to a remote physician.

Update 2: As cheap new technologies enable consumers at home to collect floods of data about their vital signs, issues will arise concerning the unauthorized practice of medicine. A person (possibly a remote physician who is not licensed in the consumer's state) or a software program may help the consumer interpret the data. Would this help constitute unauthorized practice of medicine, if the person or software explicitly disclaims giving medical advice or diagnosing disease and recommends that the consumer consult a licensed physician?

A few years ago, Texas lawyers questioned whether self-help software was engaged in the unauthorized practice of law. The legislature then enacted special legislation to declare that software is not engaged in unauthorized practice -- so long as the software conspicuously states it is not a substitute for the advice of an attorney.

Some worry that healthcare reform in the US will lead to a shortage of doctors. Kirch, "How to Fix the Doctor Shortage," Wall St. J., Jan. 5, 2010. If a shortage does materialize, state regulators may be less inclined to conclude that help from software or remote physicians constitutes the unauthorized practice of medicine. Regulators may feel that software and remote physicians can help to reduce the wait times for people who really need an in-person visit with a doctor.


Blogger

Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). A featured speaker at industry conferences and professional meetings, Wright teaches e-discovery, data security and cyber investigations law at the SANS Institute. Mr. Wright advises clients on digital law and forensic investigations. He helps tech professional firms write engagement contracts, and otherwise manage their legal liability and right to be paid. Such firms include QSAs, auditors, blockchain analysts, penetration testers and forensic investigators. His telephone is 1.214.403.6642. Wright's e-mail is ben_wright at compuserve dot com (put "BLOG" in subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center 1984.
